Six employees of Bitstamp were targeted in a weeks-long phishing attempt leading up to the theft of roughly $5m in bitcoin in January, according to an unconfirmed incident report said to be drafted internally by the bitcoin exchange.
The confidential document, posted to Reddit by a single-purpose account, offers an in-depth look into what is believed to be the inside story of the hack, which resulted in the loss of just under 19,000 BTC earlier this year. Since then, the company has offered scant details on what took place behind the scenes, citing confidentiality regarding the investigation into the lost funds.
The report’s findings are notable as they illustrate the risks facing bitcoin exchanges, including social engineering attacks in which personal information is used to trick victims into providing a means of access to sensitive materials.
In the case of Bitstamp, those behind the attack used Skype and email to communicate with employees and attempt to distribute files containing malware by appealing to their personal histories and interests. Bitstamp’s system became compromised after systems administrator Luka Kodric downloaded a file that he believed had been sent by a representative for an organization that was seeking his membership.
The report, attributed to Bitstamp general counsel George Frost, explained:
Ultimately, the attackers were able to access two servers containing the wallet.dat file for Bitstamp’s hot wallet and the passphrase for that file.
The information contained in the report is said to be sourced from a third-party investigation conducted by digital forensics firm Stroz Friedberg, as well as from investigators working for the US Secret Service, the Federal Bureau of Investigation and UK-based cybercrime authorities.
As of the report’s drafting, the investigation into the hack was still ongoing but an arrest was expected in the near future. The report alludes to an effort by investigators to create "a ‘honey trap’ to lure [the attacker] into the UK in order to make an arrest."
Bitstamp declined to comment on the authenticity of the report when reached. A representative for Stroz Friedberg was not immediately available for comment.
Extended phishing attempt
According to the report, the earliest phishing attempt took place on 4th November, when one of the attackers contacted Bitstamp chief technology officer Damian Merlak offering free tickets to a punk rock festival.
Chief operating officer Miha Grcar was contacted by Skype in mid-Novemer by someone posing as a reporter. In that exchange, the individual cited past articles written by Grcar when he himself was a reporter covering news in Greece.
The report notes:
Two days prior, Bitstamp support manager Anzej Simicak was also reached by way of Skype, and in that instance the attacker posed as someone seeking more information on RippleWise, a project for which Simicak acts as COO.
In early December, several more Bitstamp staff members were contacted, including Kodric, whose account was ultimately compromised. Employee Miha Hrast’s computer was then compromised after being messaged on Skype, though he did not have access privileges for the servers.
After Kodric’s computer was infiltrated, according to the report, additional malicious files were created between 17th and 22nd December. On 23rd December, Kodric’s account was used to log in to the server that held the wallet.dat file.
On 29th December, the attackers leveraged Kodric’s computer to access the servers containing the wallet.dat file and the wallet passphrase.
“We suspect that the attacker copied the bitcoin wallet file and passphrase at this stage, due to the correlation between the size of these files and the size of the data transfer seen on the logs,” the report notes. “Although the actual content of the transfers cannot be confirmed from the logs available.”
Less than a week later, the report continues, the wallet was emptied, noting:
Bitstamp moved quickly to assess and mitigate the damage, according to report, issuing a company-wide alert and establishing an incident response team. The company became aware of the theft on the evening of 4th January, and after auditing the servers discovered the 29th December entry and the data transfer.
Stroz Friedberg began its investigation on 8th January, operating out of the company’s Slovenian office.
The report notes:
The report added that Bitstamp “decided to deploy our distribution network using Amazon cloud infrastructure servers located in Europe” during that time.
Bitstamp lost 18,866 BTC from its hot wallet, worth approximately $5,263,614 at a time when the price of bitcoin averaged $279.
Yet the damage went beyond the bitcoins in the hot wallet, the report explained, noting:
Additional costs include $250,000 paid to the Stroz Friedberg team, $250,000 paid to developers to rebuild the platform and $150,000 in consulting and advisory fees. The costs, including those paid to Stroz Friedberg, "are continuing to accrue", according to the report.
In the wake of the attack, the exchange now utilizes multi-sig wallet access and has contracted Xapo to handle its cold wallet storage.
Despite the losses and the alleged reputational damage, the company framed the incident as a learning experience, concluding:
Confidential papers image via Shutterstock
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
Learn more about Consensus 2023, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.